
What makes a model privacy program?

As data protection and privacy concerns continue to expand throughout the world, more and more organizations are finding they need to implement new or improve outdated privacy programs. Instead of “reinventing the wheel,” privacy professionals can look toward other model programs and learn key elements to ensure an effective program. The Privacy Advisor recently caught up with several privacy experts to discover some important components that can help engender a successful program.

Generating connectivity

Privacy professionals have their hands full when implementing a privacy program. It’s difficult and often thankless work that requires extensive knowledge, savvy and creativity. In addition to ensuring an organization is compliant with the appropriate regulations, privacy professionals need to create a mission statement and policy framework, train employees and make it operational. No small task, by any means. However, simply creating a privacy framework is not the end of the process—in a sense, it’s just the beginning.

“If we want to talk about a successful program, I think we have to look for connections to other parts of the organization,” says Sagi Leizerov, CIPP.

Leizerov, executive director of advisory services at Ernst & Young, says that a privacy office can have all of the necessary program elements in place—procedures, controls, managed third parties—but in order to truly make a program effective, a privacy department needs to establish two essential connections: one between the program and the organization’s key stakeholders and a second within the business where information is being managed. He says that a privacy team can have experience and in-depth knowledge, but if leadership does not buy into the program, or if employees are not practicing the program’s policies, then the program will fail.

As vice president of customer services and chief privacy officer of the Ontario Telemedicine Network, winner of the 2011 HP-IAPP Privacy Innovation Award, Norine Menzies-Primeau, CIPP/C, holds a position that lets her effect change within her organization. She reports to both the CEO and the board of trustees.

“I can be the watchdog,” she says. “If we don’t have privacy, we have nothing. It’s a fundamental business thing…Once I got it set up strategically, then stakeholders rallied around it. It saved us money in labor and made good business sense.”

Building trust

Menzies-Primeau notes that, along with having influence with the organization’s stakeholders, a team approach to meeting the program’s privacy goals is paramount. “Privacy was always seen as a barrier” by other parts of the organization, so it’s important, she says, to build trust with these departments.

Menzies-Primeau says that she teaches her staff about compromise and exercising a “softer approach” when dealing with other departments. If the other departments feel they are a partner in the process, then the program’s initiatives won’t be seen as such an intrusive barrier.

A concrete example of the power of trust among departments is seen through an experience Menzies-Primeau had while analyzing the organization’s breach reports. Initially she noticed there were only three reported breaches. With hundreds of thousands of faxes, she had trouble believing there had been so few.

In response, she went back to the organization’s employees, telling them, “You have to trust us, so you need to report breaches.”

The effect became immediately clear. “We were paralyzed with breach reports, but that’s how we started turning things around—we built trust.”

Menzies-Primeau says the best advice she received came from another CPO who said, “You have to be comfortable being uncomfortable.” She says she tried to reinforce that mantra with her staff. “Know that an incident will happen. Do the best you can and defend your position,” she says.

As founder and partner of the Ponemon Institute, Larry Ponemon, CIPP, has conducted extensive benchmarking of companies’ privacy practices.

“We’ve learned, in general, organizations that are doing it right spend considerable time and effort training their employees about privacy,” he says, adding that when there are errors, “A lot of times, it’s good people making mistakes. We see this over and over again. Organizations need to spend real time and resources on educating people.”

Measuring accomplishments

In addition to educating staff across the organization, Ponemon says it’s important to monitor and make sure the work environment is compliant. He points out that monitoring whether employees are following policies helps demonstrate the effectiveness of a program. Additionally, organizations should take advantage of technology to monitor and understand data.

“Technology is important,” Ponemon says. “It just takes one rogue employee to make huge mistakes.” He recommends that companies use encryption and data protection technology.

Ponemon also encourages measuring the program’s accomplishments—“objectively assessing your performance” —by using metrics. He recommends checking to see if goals are being met. For example, a privacy officer could decide that 80 percent of the company’s employees should be appropriately trained in privacy. He suggests companies measure the program’s effectiveness by giving occasional quizzes and implementing a grade level that proves policies are known and will be followed.

CIPP certification is another objective method of ensuring employees are “on the same page” and share a common body of knowledge, according to Ponemon.

Kirsten Bock, international coordinator at the Independent Centre for Privacy Protection (ULD)—the privacy regulator for the German state of Schleswig-Holstein—and head of the EuroPriSe seal program, agrees.

“To create a model privacy program, it is important to define protection goals that a company will strive to achieve as well as measures to evaluate the progress and achievements…Clear and defined processes are a key organizational value contributing to a model privacy program,” Bock says. “These need to be accompanied by customer and employee respect.”

Bock sees a connection between privacy protection and business management. “Data protection is a horizontal issue and has cross-sectional character. It is relevant for all aspects of process management. The core issue here is to create transparency and thus controllability for processes,” she says. “If you have this in mind, data protection can be a huge contribution to good management practices.”

Bock also notes that “data protection today is closely linked to IT and thus has to deal with the rapid developments in technologies.”

Embedding privacy

The idea of embedding privacy into the foundations of data protection and product development is something that many privacy professionals—including Ponemon and Menzies-Primeau—agree upon.

“Good companies are saying, ‘before we sell it,’ let’s build privacy into the technology we’re developing,” Ponemon says, adding that it’s not always an easy thing to do but if done right “it makes business sense.”

Menzies-Primeau says that, since technology is driving industry, it’s important for the privacy department to have a conduit of communication with the IT department. One of the biggest challenges to embedding privacy, she says, is getting technology teams to understand the goals of the privacy department. She notes that business analysts are people who can “speak both languages.” By understanding the technology, analysts can then put it in business terms and vice versa.

“Understand the language and orientation of different departments,” Menzies-Primeau says, “because the organization needs to have conduits to bridge that gap.”
